LOGBOOK

HELP

Quiz Entry - updated: 2026.07.07

What is a stack canary and how does it protect against buffer overflows?

A random "canary" value placed between the buffer and the return address; if an overflow corrupts it, the function aborts before returning.

Same stack but with a yellow CANARY placed between local buffer[32] and the saved frame pointer/return address; any overflow reaching the return address must pass through the canary, and on return the function checks the canary and aborts if it changed.

* A random canary sits between the buffer and the return address so an overflow must corrupt it first, letting the function detect the change and abort before returning. *

Stack layout with canary:

+------------------+
| Return address   |
+------------------+
| Saved frame ptr  |
+------------------+
| CANARY VALUE     | ← Random value set at function entry
+------------------+
| Local buffer[32] | ← Overflow would overwrite canary first!
+------------------+

How it works:

  1. Function prologue: compiler inserts code to place random canary value
  2. Function runs normally
  3. Before return: check if canary still has expected value
  4. If canary changed → buffer overflow detected → program terminates

Why it works:

  • Attacker must overflow through the canary to reach return address
  • Canary is random, attacker doesn't know what value to preserve
  • Any overflow that reaches return address will corrupt canary

Limitations:

  • Only detects overflow, doesn't prevent the initial write
  • Can be bypassed if attacker can leak the canary value
  • Doesn't protect against overflows that don't hit the canary

Enable in GCC: -fstack-protector (on by default in many distros)

Go deeper:

From Quiz: REVE1 / Overview of Computer Systems | Updated: Jul 07, 2026